A botnet known as DarkIRC is actively targeting thousands of exposed Oracle WebLogic servers in attacks designed to exploit the CVE-2020-14882 remote code execution (RCE) vulnerability fixed by Oracle two months ago.
Almost 3,000 Oracle WebLogic servers are reachable over the Internet based on
Shodan stats and allow unauthenticated attackers to execute remote code on targeted servers according to a Juniper Threat Labs report.
While attackers are currently targeting potentially vulnerable WebLogic servers using at least five different payloads, the most interesting is the DarkIRC malware "currently being sold on hack forums for $75."
The threat actor selling the DarkIRC botnet on Hack Forums goes by the name of Freak_OG and started advertising it beginning with August 2020.
Juniper Threat Labs didn't say that this threat actor is behind the ongoing DarkICE attacks even though the filename of one of the recently detected payloads is similar to a FUD (Fully Undetected) Crypter filename also advertised by Freak_OG earlier this month.
"We are not certain if the bot operator who attacked our honeypot is the same person who is advertising this malware in Hack Forums or one of his/her customers," the report
reads.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
